Executive Summary: International data transfers
By using web analytics tools you transmit data to the third parties providing the service. If the third-party provider is located outside the European Economic Area (EEA), the operator must comply with the regulatory framework for international data transfers under the General Data Protection Regulation (GDPR).
The transfer of personal data to third parties outside the EEA can be based solely on user consent if the third country, where the data recipients are located, has an adequacy decision by the EU Commission, i.e. confirmation of an adequate level of data protection. If such is not given, user consent is not a sufficient legal basis and the transfer needs an alternative justification.
Following the invalidation of the EU-U.S. Privacy Shield by the CJEU Schrems II ruling, practically the only remaining option for the data transfer to third-party providers based in the U.S., such as Google Analytics, is to rely on standard contractual clauses.
However, according to the ruling even if standard contractual clauses are in place, you must provide “supplementary measures” to protect against access by U.S. authorities and to ensure effective legal protection for data subjects against unauthorized access.
According to the guidelines of the European Data Protection Board (EDPB), pseudonymization is an effective supplementary measure as long as the singling-out or re-identification of individual users is not possible.
For the UK, no longer a member of the EU, different rules may apply.
Please be aware that this only serves informational purposes and does not constitute legal advice.
Facebook Tracking declared unlawful under GDPR by the Austrian DPA
In a recently published decision, the Austria DPA finds Facebook's tracking practices violate GDPR and Schrems II.
Switzerland's new data protection law: How to become compliant
On September 1, Swiss companies must have switched to privacy-compliant tracking. JENTIS offers the most effective solution for maximum data protection and data quality.
EU Parliament: Why MEPs rejected the Data Privacy Framework in committee
Our analysis of the opinions voiced on the Data Privacy Framework and what they mean for the implementation process.